Fed Board Delays New Same Day ACH Processing Window Until March 2021

The effective date of the new same-day Automated Clearing House (“ACH”) processing window (which would expand the end-of-day deadline to originate same-day transactions by two hours to 4:45 p.m. ET (1:45 p.m. PT)) has been deferred by six months to March 19, 2021.  The Federal Reserve Board of Governors (the “Fed Board”) has informed the national administrator of the ACH network (the “NACHA”) that the Fed Board currently cannot commit to change the Federal Reserve services necessary to enable the new window by June 30, 2019 (the deadline that was agreed upon per Supplement #1-2018 to the NACHA Operating Rules provided for in the rule).

Previously, the Fed Board informed NACHA that it would need to issue a request for public comment about changes to Federal Reserve services before committing to adjust the Federal Reserve systems to conform with the new window.  Notably, such a public comment notice has not been issued, and the Fed Board has not informed NACHA when the notice will be issued.

Cheryl Venable, executive vice president and retail payments product manager for the Federal Reserve Bank of Atlanta, indicated concern about a possible delay in a January 2018 letter to NACHA.  In the letter, she explained that technical difficulties could occur with onboarding the same-day processing that poise major security and operational risks.  She further explained that the impact of the processing window change affects not only the ACH but, also, other Federal Reserve upstream, downstream, and interdependent applications.  Internal and external customer-facing services such as the Fedwire Funds, Fedwire Securities, accounting applications, and billing are all examples of applications that could be affected.

FTC Seeking Comments on Changes to Safeguards Rule and Privacy Rule Under Gramm-Leach-Bliley Act

The Federal Trade Commission (the “FTC”) is seeking public comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act to better protect consumers and provide greater certainty for businesses.

The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program.  To this end, the FTC is proposing changes to the Safeguards Rule to add more detailed requirements for what should be included in the comprehensive information security program mandated by the rule, including consumer data encryption requirements, access controls to consumer data, and multifactor-authentication for access to consumer data.

The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.  However, The Dodd-Frank Act transferred the majority of the FTC’s rulemaking authority for the Privacy Rule to the Consumer Financial Protection Bureau, leaving the FTC with rulemaking authority only over certain motor vehicle dealers.  To address these statutory changes, the FTC has proposed to clarify when motor vehicle dealers must provide annual privacy notices to reflect provisions included in the FAST Act.

Additionally, the FTC also is proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include “finders,” (those who charge a fee to connect consumers to lenders.

Overall, the proposed changes would more closely align the Gramm-Leach-Bliley Act’s Safeguards Rule and the Privacy Rule with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015.